
Locking Down Linux Desktops In an Enterprise?

kdawson posted more than 5 years ago | from the just-the-policy-ma'am dept.

Businesses 904

supermehra writes "How do you move 300 desktops, locked down with Windows ADS Group Policies (GPO), over to Ubuntu desktop? We have tried Centrify, Likewise, Gnome Gconf, and the like. Of course, we evaluated SuSe Desktop Enterprise and RedHat Desktop. Samba 4.0 promises the server side, however nothing for desktop lockdown. And while gnome gconf does offer promise, no real tools for remotely managing 300 desktops running gnome + gconf exist. All the options listed above are expensive, in fact so expensive that it's cheaper to leave M$ on! So while we've figured out the Office suite, email client, browser, VPN, drawing tools, and pretty much everything else, there seems to be no reasonable, open source alternative to locking down Linux terminals to comply with company policies. We're not looking for kiosk mode — we're looking for IT policy enforcement across the enterprise. Any ideas ladies & gentlemen?"


904 comments

Can someone wash my underwear? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27128533)

I made an obama in my pants!

Re:Can someone wash my underwear? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27128699)

The linux desktop is looser than CmdrTaco's asshole on Sunday morning. Good luck locking THAT down.

How about: less douchebaggery? (0, Troll)

mr_bubb (1171001) | more than 5 years ago | (#27128555)

Instead of spending $$$ on bondage and discipline, how about treating your users like adult human beings?

Re:How about: less douchebaggery? (5, Insightful)

Registered Coward v2 (447531) | more than 5 years ago | (#27128655)

Instead of spending $$$ on bondage and discipline, how about treating your users like adult human beings?

Because a number of them will wind up installing apps that put the company at risk?

Re:How about: less douchebaggery? (3, Informative)

mysidia (191772) | more than 5 years ago | (#27128889)

You can't install apps without root.

You can't get root without proving your competence and signing an agreement that says you will only install apps that have been approved.

It changes from being a "lockdown the desktop" problem, to an "unlock the desktop for people who absolutely need it, and closely monitor their activities" problem.

Re:How about: less douchebaggery? (5, Insightful)

RichardJenkins (1362463) | more than 5 years ago | (#27128925)

You think using technology to help enforce an IT policy and respecting your employees are mutually exclusive aims? I strongly disagree.

A small contingent of 'bad apples' can do serious harm if you do not effectively enforce IT policies. It's not possible to guarantee there is no one like this in your company, so you should protect the company and other staff from them.

Respecting staff won't stop douchebags being douchebags and screwing up your systems.

Re:How about: less douchebaggery? (4, Insightful)

man_of_mr_e (217855) | more than 5 years ago | (#27128837)

Probably because you can't guarantee that the users will ACT like adult human beings.

Any corporate policy that relies on "Let's just hope users don't do bad things" is doomed to fail.

Re:How about: less douchebaggery? (5, Funny)

Anonymous Coward | more than 5 years ago | (#27128979)

Doesn't work:

bash-3.2$ less douchebaggery
douchebaggery: No such file or directory
bash-3.2$

This is linux's strength, actually (0)

Anonymous Coward | more than 5 years ago | (#27128557)

Give users unprivileged accounts, and either
1) uninstall the "forbidden" programs
or
2) chmod them so root can access.

Piece of cake.
Or, am I missing something?

Re:This is linux's strength, actually (0)

Anonymous Coward | more than 5 years ago | (#27128611)

Or, am I missing something?

Yes, you're missing the point entirely.

Puppet (5, Informative)

BSAtHome (455370) | more than 5 years ago | (#27128559)

Use puppet to enforce configuration: http://reductivelabs.com/products/puppet/ [reductivelabs.com]

Re:Puppet (5, Informative)

binner1 (516856) | more than 5 years ago | (#27128723)

I was going to say CFEngine, but that's only because it's what I'm currently using. I'd love to move to puppet but at the time we deployed CFEngine, puppet wasn't ready for all the things we needed it to do (windows and solaris in addition to linux)...this has likely changed now, but we've got a lot of cf scripts that would need conversion.

Whichever tool is chosen (there are others in this space too), I believe this is the correct answer. I know that CFEngine scares a lot of people off (and maybe puppet does too?), but it is an excellent way to manage a large set of hosts.

-Ben

M$ (-1, Troll)

Clay Pigeon -TPF-VS- (624050) | more than 5 years ago | (#27128563)

How old are you subby, 12? M$ is lame as humor, and even worse when used seriously. Grow up.

Re:M$ (0, Offtopic)

Bryansix (761547) | more than 5 years ago | (#27128623)

When a software company cuts off an operating system at the knees as Microsoft has done with XP in order to promote you to spend more money, then the albeit childish acronym of "M$" does indeed apply. The sad part is that Vista STILL isn't ready for primetime and while Windows 7 shows promise as the real Vista SP2; it is not out yet and so you are stuck supporting users on an OS which isn't even for sale anymore.

Re:M$ (3, Insightful)

saleenS281 (859657) | more than 5 years ago | (#27128787)

Ya, NO linux based company would EVER do something like that.

www.redhat.com

What's Ubuntu's LTS support? 5 years? And how long has XP been supported? Right...

Re:M$ (0)

Anonymous Coward | more than 5 years ago | (#27128809)

Eat my shorts.

IT policy? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27128569)

Sorry - after dealing with an IT group who thinks they know best for every situation, and thus promoting things like "All virus scans will be run during normal business hours", "No linux systems on the production networks", etc. I have no desire to help "the man".

Mittens!!! (5, Funny)

RecursiveLoop (1264802) | more than 5 years ago | (#27128573)

Issue everyone Mittens!!!! They are relatively cheap and make it oh so hard to type terminal commands when worn.

Re:Mittens!!! I was going to say: Give everyone (5, Funny)

davidsyes (765062) | more than 5 years ago | (#27128959)

Paws... Then they could have Caps Paws...

But, if Puppet offers tiered services, then you can evaluate the... Puppet Tiers (LOL)... Then controlling the employees simply becomes a matter of ... pulling strings...

Re:Mittens!!! (0)

Anonymous Coward | more than 5 years ago | (#27128967)

and it feels like a stranger when you're jacking off.

Security-Enhanced Linux (1)

Zsub (1365549) | more than 5 years ago | (#27128575)

SELinux might be worth looking into? It can do some very specific policy-enforcement, although I am unsure whether or not it can do so on a per-user or per-group basis...

Re:Security-Enhanced Linux (4, Informative)

magamiako1 (1026318) | more than 5 years ago | (#27128661)

SELinux is not what he's looking for.

Re:Security-Enhanced Linux (2, Funny)

Zsub (1365549) | more than 5 years ago | (#27128719)

Did you _have_ to wave your hand in that suggestive manner, as if - SELinux is not what he is looking for. Move along.

And it indeed appears to me that it is not what he is looking for.

i am interested in this too (1)

Ruede (824831) | more than 5 years ago | (#27128577)

well connection to the outside would be possible with certain network policies... proxy and such... but on the desktop by itself hmmm dunno

You don't (-1, Troll)

duffbeer703 (177751) | more than 5 years ago | (#27128585)

Linux isn't ready for the enterprise desktop. We've tried for ages -- it's not as good as windows at the moment.

Re:You don't (0)

Nursie (632944) | more than 5 years ago | (#27128651)

Why is this insightful? It's no more insightful than saying "Linux Sux!"

Linux is fine for the enterprise desktop.

Want to lock stuff down? Don't give users root. If you want really fine-grained control, use SELinux.

What's the issue?

Re:You don't (1, Informative)

leenks (906881) | more than 5 years ago | (#27128785)

And that stops users from downloading and running applications how?

There is a lot more to locking down desktops in enterprises than not giving users admin rights.

Re:You don't (1)

DamnStupidElf (649844) | more than 5 years ago | (#27128847)

Unless users are only given a restricted shell, what prevents them from writing applications in shell script and running them?

It's either a kiosk or a fully functional Universal Turing Machine...

Re:You don't (0)

timmarhy (659436) | more than 5 years ago | (#27128829)

i'd say linux CAN be great for some places, what it lacks is support for many specialised apps businesses use under windows. if i had a run of the mill office that did nothing but process internal forms, email and internet access, i'd set them up with dumb terminals logging into a central server for apps, and a 2nd server fronting as a firewall with a proxy and other services. dumb terminals are cheap and low maintenance, the server would be a xeon with 4 gig of ram and a quality raid controller and scsi disks + tape backup (see cheap to setup).

your pain starts when you have professionals (engineers, accountants, draftsmen) in the office that need planning or specialised applications, i wouldn't touch that with a 10 foot pole.

Re:You don't (0)

Anonymous Coward | more than 5 years ago | (#27128665)

This one's actually got the highest score so far? WTF?

Don't Project Round Peg Into Square Hole. (1)

twitter (104583) | more than 5 years ago | (#27128735)

Trying to make GNU/Linux "as good as Windows" is a bad idea, it's better to make company policy as good as free software instead. Because free software lacks most of the problems non free software does, it does not need as much "lockdown". Software management, without non free licenses is also much easier - you can set up your own repository with custom meta packages and have all of your machines do their updates as a cron job. If you look for Windows style tools and try to force free software to act like Windows, you will get something that sucks almost as much as Windows.

Warning. (0)

Anonymous Coward | more than 5 years ago | (#27128827)

The user "twitter" is a twitter sock puppet. Notice the peculiar misspellings.

Re:You don't (3, Interesting)

Ex-Linux-Fanboy (1311235) | more than 5 years ago | (#27128743)

You know, as much as I agree with you, I wish it were not so.

More and more things are getting tied to a computer. Back in the early 1990s, a computer was generally used for number crunching and document managing. People (generally) did not use a computer to listen to music, watch a movie, meet people, or to stay in touch with one's friends.

Now people are using computers for all of these functions. It's important that things we need for daily living in the 21st century are not controlled by a single corporation with a known pattern of abusive behavior. Microsoft's latest abusive behavior--suing TomTom for having FAT32 support on their device--shows that the only thing stopping Microsoft from abusing their monopoly are antitrust laws and community activism.

This is why Linux needs to fix the issues that make Linux not a suitable desktop for end users, or why one of the other possible open-source desktop OSes (Haiku [haiku-os.org], Syllable [syllable.org], etc.) needs to become a suitable end-user desktop.

I use Windows right now instead of Linux because I don't feel Linux is ready for the desktop, but most of my partitions for "extra data" are formatted using the second extended filesystem (Linux's "base" standard file system) and read in Windows using ext2fsd [ext2fsd.com] because I don't want my data to be held hostage by Microsoft patents.

So, yes, I really want Linux to succeed.

- Sam

Is Samba 4 ready? (5, Informative)

ikirudennis (1138621) | more than 5 years ago | (#27128591)

from the FAQ:

Can I use Samba 4 on my production server right now? No. Samba 4 is still under heavy development. Samba 4 is not due to replace Samba 3 soon. Many of the required core features are present, but the code is still alpha and user tools as well as some core features are still missing.

This is very gay (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27128593)

What a bad idea. Linux is too cool to be locked away!

LTSP (4, Insightful)

IANAAC (692242) | more than 5 years ago | (#27128599)

Why not use LTSP? That way you only have to worry about whatever image(s) you keep on the server.

stay with ms (0, Informative)

Anonymous Coward | more than 5 years ago | (#27128603)

Stay with MS.

switching to linux would mean: more work for you, more money spent and frustrated office workers.

Re:stay with ms (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27128619)

Shut up Ballmer, you nigger dick sucking faggot.

Come on... (3, Insightful)

Anonymous Coward | more than 5 years ago | (#27128615)

so expensive that it's cheaper to leave M$ on!

If you want to be taken seriously, please lern 2 spel currektly. I'm not a Microsoft fan, but it sure is annoying seeing it spelt like that.

dumb terminals? (5, Insightful)

timmarhy (659436) | more than 5 years ago | (#27128621)

if you're talking about dumb terminals, you're making me hot. sexy little gadgets with no fans or moving parts. in this instance you can lock down any of the major desktop environments by modifying their default user to have a really low level of user access, so when you create a new user it inherits these settings. gnome, kde and xfce all have this ability. and since they are terminals and logging into a central server, management is dead easy.

if you are talking stand alone desktops then it's not so great. linux doesn't really have anything as good as group policies and active directory, it's part of the reason corporate networks are mostly windows.

What are you trying to do? (5, Insightful)

Todd Knarr (15451) | more than 5 years ago | (#27128629)

I guess the first question is: what are you trying to accomplish? Are you trying to prevent users from installing additional software locally? Are you trying to ensure that particular applications get particular preferences set and users are prevented from changing those settings? What? Just saying "lock down the desktops" doesn't say what you're trying to actually do.

Remember that Unix is, in large part, designed to work correctly without needing to be locked down. Much is controlled simply by the system-wide configuration files. The rest tends to be controlled on the server side, so that users simply can't do unacceptable things regardless of how they configure their local user account.

Re:What are you trying to do? (4, Insightful)

jtownatpunk.net (245670) | more than 5 years ago | (#27128713)

Never underestimate a user's ability to fark up something that is, in theory, unfarkupable.

Re:What are you trying to do? (4, Insightful)

fm6 (162816) | more than 5 years ago | (#27128993)

I like this version better: No system is foolproof, because fools are fiendishly clever.

Re:What are you trying to do? (4, Insightful)

QuantumRiff (120817) | more than 5 years ago | (#27128789)

You are looking at it from a system security perspective, not an "IT Policies" perspective. He needs to be able to disallow solitaire, force all connections through a proxy server for web filtering, pass down 802.1x keys, force people to use a certain network printer, etc...

Re:What are you trying to do? (4, Interesting)

whoever57 (658626) | more than 5 years ago | (#27128871)

You are looking at it from a system security perspective, not an "IT Policies" perspective. He needs to be able to disallow solitaire, force all connections through a proxy server for web filtering, pass down 802.1x keys, force people to use a certain network printer, etc...

All these can be enforced using control of the services. The problem statement reflects the Microsoft/Windows way of doing things. Turn it around and ask how the network can enforce the policies.

Proxy: the firewall can enforce this. Users don't use the correct proxy? No web access. Printers: Configure the printer to allow only certain users/groups, etc. etc..

MOD PARENT UP (5, Interesting)

serviscope_minor (664417) | more than 5 years ago | (#27128797)

Mod parent UP. The OP is thinking about it wrong: i.e. how to manage unix in the style of windows. Don't give them root and they can't install software. Make sure the home directories and /tmp are mounted -noexec and there is NO WAY that they can run programs which aren't already installed.

Now they can have free run of the system and can't do anything harmful. Still not satisfied? Remove all executables that they shouldn't run, or make them a-rx g-rx, and don't have users in the group able to run them.

You can create an RPM to do this for you, then set up the whole thing automagically using Redhat's or SUSE's tools (one is called kickstart). I suspect it is straightforward on debian based systems, too.

If you have the autoupdater running (good for security), then update the setup RPM, put it in your local repository, and sit back as all the desktops get updated with new settings.

Alternatively, you can bodge it with shell scripts and a cron job :-)


Re:MOD PARENT UP (5, Insightful)

binner1 (516856) | more than 5 years ago | (#27128975)

While I _mostly_ agree with this, a nice policy management (configuration management mostly) tool is also essential when dealing with lots of boxes. You want a new setting for all Gnome desktops, simply add it to the policy tool and let it distribute any required config files or run commands to change the setting, etc. This type of thing used to be done with things like: for h in $all_my_hosts; do ssh $h /tweak/some/setting; done

CFEngine and Puppet and friends are a nicer way of doing this. They're "self documenting" in that you write the code and then you can later very easily see when you added some configuration bits, etc...version control your configuration management scripts and you get even better tracking of who did what and when. (A side question: How does one do the version control type stuff in AD?)

While kickstart is great (I use it), it only goes so far. Having a policy manager on top of that (installed and configured in the kickstart) is a beautiful thing!

-Ben

Re:What are you trying to do? (4, Interesting)

msobkow (48369) | more than 5 years ago | (#27128843)

I admit I'm puzzled at the issue of "lockdown" myself.

For years whenever we needed to lock down a *nix account, the sysadmins would install the software as root and set up the user accounts in capture mode (i.e. .login starts the X session, and the X session doesn't have the ability to add/remove programs.)

I can't imagine needing to lock down a session any tighter than that, and I've never seen a Windows desktop that was locked down any tighter, either.

Re:What are you trying to do? (2, Interesting)

poetmatt (793785) | more than 5 years ago | (#27128917)

This was the idea that came in my mind as to a method of locking down desktops. I mean really, it's not that hard considering they won't be able to run a .deb or .rpm or whatever package they attempt once it's locked like that anyway.

It honestly surprises me this is a slashdot article asking for an answer that is as simple as you wrote.

Re:What are you trying to do? (1)

Eil (82413) | more than 5 years ago | (#27128951)

'Zactly. The reason for locking down a Windows machine is to prevent the user from doing stupid things on the system level. On Unix, you just take away the root password.

Every year, I help set up a terminal server with 20-30 thin-client terminals running Ubuntu at a local open source convention. The terminals are completely open to the public and not once has anyone (intentionally or otherwise) been able to do anything harmful. We do absolutely nothing to lock them down, because even right out of the box, there's nothing to lock down.

If we can withstand J. Random Public having full access to a standard user desktop for a weekend, the average employee is going to be completely harmless.

That is, unless the submitter is one of those power-hungry admins who has to make users' lives as inconvenient as humanly possible. In which case, they should just deploy serial terminals to every desk and only give them command line access via rsh.

Not that difficult.... (1)

Pvt_Ryan (1102363) | more than 5 years ago | (#27128631)

I locked my linux box down last night with a chain & padlock.. I would say for a corporate environment you may need a bigger chain & padlock..

Indeed it is a problem (5, Insightful)

Anonymous Coward | more than 5 years ago | (#27128635)

In linux world, there is yet to be a quick, 3 question and 1 button way to add the computer to a domain and then receive straight away:
- group policies - security and software install
- single password store (with cached passwords for notebooks that go away from the network)
- Patch update policy

The only thing linux does right is work on technologies such as DHCP that were written for OTHER unix O/S'.

Ubuntu is not interested in those things, they're more interested in making stories about koalas and hiding popup boxes.

Gnome is dead, Mono and moonlight took all their brains away.

kde is making a next-gen desktop but have yet to understand why so many IT shops have kept Windows at the office.

This is all depressing. Windoze will never be replaced at the current rate.

What lockdown do you need? (5, Informative)

whoever57 (658626) | more than 5 years ago | (#27128641)

A desktop where the user does not have su/sudo access is already pretty locked down -- the user can only write to his home directory and other directories that he/she has access to through normal permissions.

If you really want to lock it down, the user's home directory can be mounted in such a way that files cannot be executed from there.

What else is required?

Re:What lockdown do you need? (1)

Philip K Dickhead (906971) | more than 5 years ago | (#27128815)

Yeah, what's wrong with no su/sudo and /home mounted nodev and noexec?

Besides, if they 'drift' in config, you can blast a tarfile down after hours. Tough beans.
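The two settings this sub-thread and serviscope_minor's post above keep returning to (home directories and /tmp mounted noexec/nodev/nosuid, and no ordinary user in a sudo-capable group) can be checked and corrected from a cron-run script. The following POSIX sh script is an added example, not code from the thread or any of the posters; it works on files passed as arguments, so it can be pointed at /etc/fstab and /etc/group, and the sample fstab, group file, placeholder UUIDs and users alice and bob are constructed for the demonstration.

```shell
#!/bin/sh
# Audit/enforce helper for two lockdown steps: /home and /tmp carrying
# noexec,nodev,nosuid, and no user in a group that reaches root via sudo.
# It only reads the files it is given and prints results; nothing here
# writes to the live system.

# Print the hardening options missing from the fstab entry for mountpoint $2
# in file $1 (empty output when all are present). Returns 1 if no entry exists.
missing_mount_opts() {
    fstab="$1"; mnt="$2"
    opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4 }' "$fstab")
    [ -n "$opts" ] || return 1
    missing=""
    for want in noexec nodev nosuid; do
        case ",$opts," in
            *",$want,"*) ;;                    # already set
            *) missing="$missing $want" ;;     # record the gap
        esac
    done
    printf '%s\n' "${missing# }"
}

# Print file $1 with the entry for mountpoint $2 rewritten to include
# noexec,nodev,nosuid. A deployment script would write this to a temp file
# and move it into place; this function only prints.
enforce_mount_opts() {
    awk -v m="$2" '
        $1 !~ /^#/ && $2 == m {
            n = split($4, have, ",")
            for (i = 1; i <= n; i++) seen[have[i]] = 1
            split("noexec nodev nosuid", want, " ")
            for (i = 1; i <= 3; i++) if (!seen[want[i]]) $4 = $4 "," want[i]
        }
        { print }' "$1"
}

# Return 0 if user $2 is listed in any group in file $1 that can reach root
# through sudo (sudo, admin and wheel cover Debian/Ubuntu and Red Hat), else 1.
user_in_sudo_group() {
    awk -F: -v u="$2" '
        $1 == "sudo" || $1 == "admin" || $1 == "wheel" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample data standing in for /etc/fstab and /etc/group
# (UUIDs are placeholders). /home lacks noexec and nosuid; alice is in sudo.
SAMPLE_FSTAB=$(mktemp)
SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB" "$SAMPLE_GROUP"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
# <file system>        <mount point> <type> <options>                    <dump> <pass>
UUID=ROOT-PLACEHOLDER  /             ext4   errors=remount-ro            0      1
UUID=HOME-PLACEHOLDER  /home         ext4   defaults,nodev               0      2
tmpfs                  /tmp          tmpfs  defaults,noexec,nodev,nosuid 0      0
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:alice
admin:x:4:
users:x:100:alice,bob
EOF

# Report what a desktop built from these files would still need changed.
for mnt in /home /tmp /var; do
    gaps=$(missing_mount_opts "$SAMPLE_FSTAB" "$mnt") || gaps="(no separate mount)"
    printf '%-5s missing: %s\n' "$mnt" "${gaps:-none}"
done
for u in alice bob; do
    if user_in_sudo_group "$SAMPLE_GROUP" "$u"; then
        echo "$u: can reach root via a sudo group"
    else
        echo "$u: no sudo group membership"
    fi
done
```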

Re:What lockdown do you need? (4, Informative)

shutdown -p now (807394) | more than 5 years ago | (#27128831)

What else is required?

The ability to quickly and easily set it all up on all machines on the network at once, and to change permissions later with equal ease, without having to ssh into each and every machine on the network.

Re:What lockdown do you need? (2, Interesting)

whoever57 (658626) | more than 5 years ago | (#27128957)

The ability to quickly and easily set it all up on all machines on the network at once, and to change permissions later with equal ease, without having to ssh into each and every machine on the network.

A quickstart file to install the machine correctly in the first place, use the autoupdater to update based on your own repository, with custom RPMs to push out further changes. Or, have the machine run a crontab that runs a script from a network-accessible location periodically -- and that script can set up various permissions as required. Or, the script could be local, and rsync is used to push out updates to the script when required. rsync can be set up to use ssh with unencrypted keys allowing a secure root login with no requirement to type a password. There are lots of ways to do it.

Re:What lockdown do you need? (0)

Anonymous Coward | more than 5 years ago | (#27128989)

Run them all on a central server? I mean, this is what unix was designed for. You can do X to the client.

Users break everything (0)

Anonymous Coward | more than 5 years ago | (#27128945)

What else is required?

If you imagine the users are school children (a good use of open source) that will try something just because they MIGHT be able to.

Everything from installs, running certain file types, giving access to certain network shares and not others, software allocation, shortcut allocation (for different users having different accessibility of the software on the machine), modification of local drives, the ability to see local drives and the resetting of any of this from a central area.

What else is required? (1)

benjamindees (441808) | more than 5 years ago | (#27128953)

Windows admins typically need some checkboxes to click in order to give them a sense of authority and accomplishment, along with some buzzword-laden "policy enforcement" protocol-speak to regale their boss with, in order to give the impression that they impart value to the enterprise.

Whether any of it is necessary or actually accomplishes anything in the way of promoting productive work or preventing users from screwing up their systems is completely beside the point.

The only point is to give the impression that the admin is in "control" of the "network systems". The fact that a stray boot floppy or any of a handful of zero-day exploits (or even something as mundane as an end-user hacking around restrictions with links to cmd.exe and rundll) completely undermines their "authority" makes absolutely no difference. To the average pointy-haired-boss, Windows is a bastion of command and control (and therefore productive employees) and their trusty Windows admin is the gateway to maintaining law and order in the corporate environment.

Tripwire will do it. (0)

Anonymous Coward | more than 5 years ago | (#27128645)

Tripwire will do it.
The real thing not the free one.
You can get canned policies for pci compliance etc.

no sudo? (1)

mediis (952323) | more than 5 years ago | (#27128669)

It depends on what group policies you have and what you want to do. First, don't use Ubuntu, or if you do, make sure to take the user out of the mix for sudo. Remove sudo and root access. Place everyone in LDAP and restrict / grant user access via ldap groups. Make all shells restricted shells. Run ssh / vnc and an automated daemon for pushing out policy changes.

Huh? It's unix (4, Informative)

nurb432 (527695) | more than 5 years ago | (#27128671)

If you just manage the users properly and NFS mount applications it almost takes care of itself and doesn't need an extra layer of complexity.

use PXE+XDMCP and the workstations become irrelevant

Re:Huh? It's unix (1)

spribyl (175893) | more than 5 years ago | (#27128749)

I am actually a little confused by this post; what is the person really trying to do?

To add to this post's parent, have you looked at ldap with automount/nfs?

One of the above posters even mentioned sudo, which supports ldap config.

Re:Huh? It's unix (1)

Pvt_Ryan (1102363) | more than 5 years ago | (#27128805)

we looked at this a while back, however ldap authentication + automount requires that the ldap directory be set up for anonymous access. Due to our mixed environment we have had to stick with NIS & autofs.
It has been a long time since we looked though so it is possible that this has been resolved.

Re:Huh? It's unix (0)

Anonymous Coward | more than 5 years ago | (#27128929)

This has been possible for years, though it requires a bit of hacking at config files to get it to work.

Re:Huh? It's unix (2, Interesting)

spribyl (175893) | more than 5 years ago | (#27128965)

I would take a look again.

One of the features of ldap is you can restrict who has access to what part of the directory.

Though I will grant that if by mixed environment you mean all the flavours of Unix, that is quite the challenge.

Re:Huh? It's unix (3, Insightful)

Facetious (710885) | more than 5 years ago | (#27128935)

Finally! Thank you. I can't believe I had to read so many posts on slashdot of all places before someone points out the obvious. I recommend the OP googles "root over NFS." To reiterate, don't try to do Linux the Microsoft way. Also, please disregard all these stupid AC posts about Linux not being ready for the corporate desktop. Unemployed MCSEs are just yanking your chain.

Big Blue has the answer (0)

Anonymous Coward | more than 5 years ago | (#27128687)

A while ago I was daunted with a similar problem. The solution came from a "Black Book" that IBM has out on the net. See if these help you:

http://www-03.ibm.com/linux/migrate.html

http://searchenterpriselinux.techtarget.com/news/article/0,289142,sid39_gci1017088,00.html

Isn't this something Unix solved decades ago? (2, Insightful)

darthwader (130012) | more than 5 years ago | (#27128689)

You set up the machines to all boot over the network, from a common image, and to load all system files from a NFS share.

The only thing on the workstation is the user's $HOME directory, and some local stuff like /tmp, /var, etc.

Your users don't get root on their workstations. They shouldn't need it. This isn't like Windows, where a huge number of apps don't run correctly if you don't have admin rights. Linux is designed under the assumption that users don't have admin rights.

Maybe I'm being naive, but what more do you need?

Re:Isn't this something Unix solved decades ago? (2, Insightful)

magamiako1 (1026318) | more than 5 years ago | (#27128703)

To protect the users from themselves...PXE booting is not the answer.

He wants to enforce things such as proxy settings, desktop settings, auditing, etc.

Re:Isn't this something Unix solved decades ago? (1)

binarylarry (1338699) | more than 5 years ago | (#27128721)

Duh, he's clearly looking for a gui wizard tool that does this all for him.

Like the one for Windows. (haha)

Re:Isn't this something Unix solved decades ago? (0)

QuantumG (50515) | more than 5 years ago | (#27128807)

This is true, if you don't want your employees to be productive beyond the 6 apps you've installed for them.. but if you want them to actually be able to use the wide variety of open source applications that are available then clearly they need to be able to run a package manager and install new apps. This basically means giving them root.

A Little Offtopic (1)

DaMattster (977781) | more than 5 years ago | (#27128693)

I know this is a little bit off topic but how are you planning to replace collaborative services like groupware? There don't exist any really good F/OSS groupware alternatives. The ones out there are really crippleware and you have to buy licensing to get at the good stuff. I guess SharePoint is easier to replace with an open source CMS.

Re:A Little Offtopic (1)

realsablewing (742065) | more than 5 years ago | (#27128725)

While the Open Source alternatives for groupware may not be as robust, there is Lotus Notes, which does run under many different OSs. Not necessarily a solution I would be fond of, but there is software out there to support groupware functions.

Re:A Little Offtopic (0)

Anonymous Coward | more than 5 years ago | (#27128909)

Lotus Notes is not a solution to any problem, ever

More information on what you want to lock down? (1)

realsablewing (742065) | more than 5 years ago | (#27128695)

It would help to have more information on what you want to lock down. If you want to prevent people from running as administrator and being able to install whatever they want, that's built in to Linux with the permissions set. Setup a user template for the different users you need, with different permissions for the directories, create groups and assign them to those directories and things are limited.

And using NIS+ [linux-nis.org] for managing the users, you can set up users on one main server with mirrors, have user space and environment be loadable on various desktops with a common file system, and other nice things. The problems with NIS are security holes, but I believe later versions have addressed some of those problems; if not, I'm sure someone will comment accordingly.

Re:More information on what you want to lock down? (5, Informative)

man_of_mr_e (217855) | more than 5 years ago | (#27128973)

Unfortunately, few people in the Unix world seem to grasp what Group Policy is used for in Windows.

It's not simply preventing users from installing software.

Group policy is a set of policies that govern everything from security policies to application policies (for instance, say you want all users in a specific AD OU to use a specific proxy server, or maybe you want to limit all computers in a given lab from being able to use MSN Messenger).

GP can be assigned to specific computers, groups of computers, users, groups of users, and a whole host of situations. The nice thing about it is that it's AD-wide, and controls the user or the computer regardless of where it is, what may be installed on the machine, or how it's configured locally.

Time to re-evaluate your policies? (0)

Anonymous Coward | more than 5 years ago | (#27128715)

Perhaps you might re-examine the need to treat your desktop users like wayward children with forcible policy constructs.

Nothing is quite so onerous as some entity who believes they have possession of the one correct answer formula to which all must subscribe.

What about Landscape from Canonical? (0)

Anonymous Coward | more than 5 years ago | (#27128729)

Network system and package management tools:

http://www.canonical.com/projects/landscape/landscape-tour/

Re:What about Landscape from Canonical? (1)

ranok (1236468) | more than 5 years ago | (#27128919)

That's what I immediately thought of as well. You can group systems into groups, and also not have to worry about off-line systems.

3 years ago (or so) ... (4, Insightful)

DF5JT (589002) | more than 5 years ago | (#27128731)

I remember an article about KDE's long term strategy to be just that: an enterprise ready Desktop with fine grained policies, central administration and all the fluff that makes windows enterprise-ready and the de facto standard for the desktop.

Today, we have a colorful disaster that isn't even as usable as its predecessor. Developers should have focused on the need for an enterprise desktop that could actually make a dent in MS corporate sales. Instead we got useless eye candy.

The fault, of course, lies with the big distributions that pride themselves on providing enterprise ready Linux. Enterprise sans le Desktop. Useless wanking. The requirements for an enterprise ready desktop are out there for anyone to see and it's not just "applications" as everyone usually points out. It's the ability for administrators to create and maintain a usable desktop according to official corporate policies. No more and no less.

policies (3, Insightful)

TheSHAD0W (258774) | more than 5 years ago | (#27128737)

locking down Linux terminals to comply with company policies

Sooo, what exactly ARE these company policies?

This article looks like a troll. (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27128739)

Indeed, Unix systems and mainframes handled all these issues for ages. Depending on what he's trying to lock down, he should just lock it down.

Is he afraid of people with root access messing up stuff on the computers? His answer should be found with SELinux policies.

Is he just looking for some windows-GUI-admin-tool for linux? Then he should just hire someone who knows something.

Is he a troll bought by Microsoft to hype Active Directory?

I think so.

Re:This article looks like a troll. (1)

east coast (590680) | more than 5 years ago | (#27128879)

Is he just looking for some windows-GUI-admin-tool for linux? Then he should just hire someone who knows something.

You must be new here. A good 95% of all AskSlashdot questions could be answered by saying "just hire someone who knows something."

While it is an accurate answer it's also interesting to see some of the ideas that get beat around. Who knows, this series of threads may spur someone to start a project that has real impact on Linux as an enterprise desktop OS.

Pessulus (2, Informative)

Simon80 (874052) | more than 5 years ago | (#27128759)

Pessulus [gnome.org] is a lockdown editor for GNOME. It is included in the admin suite since 2.14.

What's wrong with that?

What do you need to "remotely manage", anyway? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27128783)

That's a Microsoft paradigm, born from forcing the square peg of multi-user shared resources onto a single-user-owns-the-world system. Linux and other Unix operating systems were designed from the ground up to be secure multi-user operating systems. (And all you Microsoft-paid astroturfing fanbois who want to dispute that can FOAD. Just look at the mess that's UAC and the need for Microsoft to break it for their own use.)

Just set up default menus, and if a user mucks them up blow away the .g* (or whatever) configuration files/directories in the user's home directory.

Because anyone who knows what they're doing can run "unsupported" apps on any computer they can log onto anyway.

Enterprisey (1)

MrEricSir (398214) | more than 5 years ago | (#27128795)

Windows is more "enterprisey" than Linux, and that's bad... for Linux?

Don't forget to put the cover sheets on your TPS reports.

Seems to me that Linux is not the problem (1)

bugs2squash (1132591) | more than 5 years ago | (#27128853)

so much as the windowing environment. Surely kde or gnome could come up with a particular recipe that hit most of the major requirements. Maybe even have a stab at working with an AD server to download its own group policy.

Re:Seems to me that Linux is not the problem (1)

magamiako1 (1026318) | more than 5 years ago | (#27128937)

bugs2squash:

The question isn't whether or not it's possible, it surely is. The question is whether or not it has been done, tested, and proven.

It has not.

Back in the old days ... (2, Funny)

PPH (736903) | more than 5 years ago | (#27128859)

...we just used a script that called useradd pointing to the appropriate skeleton directory and then called chown/chmod to keep people from modifying the rc files in their home directories.

Really smart users can probably find a way around this. But then, at a company I used to work for, we could never lock down Windows NT to keep the shop floor mechanics from setting the wallpaper to a Pamela Anderson/Tommy Lee photo. So I guess it's all relative. You may need users that are dumber than a high school dropout welder.

for those of us who aren't in big corporations (0)

Anonymous Coward | more than 5 years ago | (#27128885)

For those of us who aren't in big corporate environments... what do you mean by locked down? Ability to map your home directory from the network on login? Keeping systems up to date and free of unauthorized changes? Preventing network access outside of using the company proxy server? Forbidding users from changing their desktop wallpaper?

Seems like each of those tasks is something a little different. For general administration, it seems like you could write a script that would scp your updates to each machine, and use ssh to run them. Networking, some clever use of ipchains to only connect to the proxy. The computers shouldn't allow major configuration changes without a root password, and maybe cosmetic changes could be prevented by changing ownership of the config files to root. There may not be one single gpedit.msc tool, but all the functionality is probably there.
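As an added example (not from any poster in this thread), here is a POSIX shell audit in the spirit of the two approaches above (root-owned rc files from a skeleton directory, and config files chowned to root): it checks one home directory for shell rc files that are not owned by the expected account or carry any write bit, and counts the violations. It assumes Linux with GNU coreutils `stat`; the rc file list is illustrative.

```shell
#!/bin/sh
# Added example (not from any poster): audit one home directory for shell rc
# files that the user could still tamper with, in the spirit of the
# "chown/chmod the rc files" approach described in the thread.
# Assumptions: Linux with GNU coreutils `stat`; the rc file list below is
# illustrative, not a standard.

# Files that the site policy says users must not be able to edit.
RC_FILES=".profile .bashrc .bash_profile .bash_logout"

# audit_home HOME_DIR EXPECTED_OWNER
# Prints one line per violation; returns the number of violations (0 = compliant).
audit_home() {
    home="$1"
    owner="$2"
    violations=0
    for f in $RC_FILES; do
        path="$home/$f"
        [ -e "$path" ] || continue           # nothing to protect if absent
        actual=$(stat -c %U "$path")          # owning user name
        sym=$(stat -c %A "$path")             # symbolic mode, e.g. -rw-r--r--
        if [ "$actual" != "$owner" ]; then
            echo "VIOLATION $path: owned by $actual, expected $owner"
            violations=$((violations + 1))
        fi
        # Any 'w' in the mode string means somebody can rewrite the file.
        case "$sym" in
            *w*)
                echo "VIOLATION $path: writable ($sym)"
                violations=$((violations + 1))
                ;;
        esac
    done
    # Caveat the thread itself raises: the user owns the home directory, so a
    # root-owned rc file can still be replaced. Treat this as drift detection
    # and keep hard requirements in system-wide files such as /etc/profile.
    return "$violations"
}

# Command-line use: audit_home.sh /home/alice [expected_owner]
if [ "$#" -gt 0 ]; then
    audit_home "$1" "${2:-root}"
fi
```

Run it from a central host over ssh against each desktop's home directories, and a non-zero exit code flags a machine whose rc files have drifted from the skeleton.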

Canonical Landscape (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27128905)

If you are using Ubuntu on your desktops, you can use Canonical's Landscape service to manage packages across all machines. I presume it can manage user accounts and group permissions, which really is all you need to manage user activities in a generally-similar way to the Windows Group Policies.

See http://www.canonical.com/projects/landscape

And no, I am not affiliated with Canonical, though I have assisted the diagnosis of Ubuntu bugs.

That's an easy one (0)

Anonymous Coward | more than 5 years ago | (#27128997)

I'm not much of a Linux admin, but I have noted that if you have a big beefy .45 in your hand, it gets people's attention and they tend to stay a little more focused on the idea you are trying to get across to them... just sayin'
